Analysis by: Nikko Tamana

ALIASES:

W32/Agent.JH!tr (Fortinet), W32/QQhelper.C.gen!Eldorado (FProt), Exploit.Win32.ShellCode (Ikarus), TrojanDownloader:Win32/Jadtre.B (Microsoft), a variant of Win32/Wapomi.AO virus (NOD32), Infostealer.Gampass (Norton)

 PLATFORM:

Windows 2000, Windows XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size 83,968 bytes
File Type EXE
Initial Samples Received Date 13 Oct 2012

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %System%\{random file name}.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System%\{random file name}.tmp
  • %System%\appmgmts.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This backdoor deletes the following files:

  • %System%\appmgmts.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following registry entries as part of its installation routine. The Image File Execution Options (IFEO) entries make Windows launch ntsd.exe (the Microsoft NT symbolic debugger) in place of each listed security-product executable whenever that executable is started, which prevents the product from running normally; this is how the backdoor disables antivirus and security tools on the affected system. The Services entries register the dropped .sys file as a kernel driver (Type 1) set to start on demand (Start 3):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrsx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avguard.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avmailc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avshadow.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avwebgrd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bdagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dwengine.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
egui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FilMsg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kmailmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdwsc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfw32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpopserver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmgui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kswebshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvexpert.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvxp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwatch.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwsupd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxedefend.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxesapp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxescore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxeserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxetray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
livesrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcmscsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McNASvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcods.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McSACore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcsysmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcvsshld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mfefire.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MOBKbackup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MpfSrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC1.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC2.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
msksrver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MsSvHost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCAddWidget.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr_tz_Setup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCUPDATE.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qutmserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsmgrsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sched.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
seccenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SfCtlCom.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spideragent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SpIDerMl.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spidernt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spiderui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SuperKiller.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TMBMSRV.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TmProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Twister.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UfSeAgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3PScan.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3SP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vgchsvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
VPSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
修复工具.exe (GBK file name; the characters mean "repair tool")
Debugger = "ntsd -d"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Start = "3"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Type = "1"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "%System%\{random file name}.sys"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360hotfix.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SAFE_INSTALLER.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360se.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SoftMgrSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360speedld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
afwServ.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ast.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastUI.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avcenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgcsrvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgemc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnsx.exe
Debugger = "ntsd -d"
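The entries above come in two shapes: dozens of IFEO subkeys whose Debugger value is "ntsd -d", and one Services key for the dropped {random}.sys driver. The script below is an added example, not part of the original analysis, showing how a responder can triage a Regedit 5.00 export (the output of `reg export` for the IFEO and Services keys on an affected host) for both: it lists every IFEO subkey that carries a Debugger value, flags Type 1 driver services whose ImagePath is a .sys placed directly under system32 rather than in the drivers subfolder, and writes a cleanup .reg that removes only the Debugger values. The embedded export is constructed for illustration and the service name qzxy is made up; the parser handles the REG_EXPAND_SZ hex(2) encoding and line continuation that regedit actually emits.

```python
"""Triage a Regedit 5.00 export for IFEO "Debugger" hijacks and a kernel-driver
service whose ImagePath is a .sys dropped straight into %System%.
Added example; SAMPLE_REG is constructed and the service name qzxy is made up."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample: two hijacked IFEO subkeys, one benign IFEO subkey (GlobalFlag
# only), and a driver service whose REG_EXPAND_SZ ImagePath spans two lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzxy]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,7a,00,78,00,\
  79,00,2e,00,73,00,79,00,73,00,00,00
'''

def _unescape(s):
    """Undo regedit's backslash escaping inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)

def _decode_value(data):
    """Decode REG_SZ ("..."), REG_DWORD (dword:) and hex(...) values; hex(2) is
    REG_EXPAND_SZ stored as UTF-16LE text, other hex forms are returned as bytes."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data

def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export."""
    # A trailing backslash continues a hex value on the next (indented) line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys

def _get(values, name):
    """Case-insensitive lookup; registry value names are not case-sensitive."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)

def find_ifeo_hijacks(keys):
    """(executable, debugger) for every IFEO subkey carrying a Debugger value.
    Any Debugger entry deserves review; "ntsd -d" is the tell for this family."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = [(path[len(prefix):], _get(values, "Debugger"))
            for path, values in keys.items()
            if path.lower().startswith(prefix) and _get(values, "Debugger") is not None]
    return sorted(hits, key=lambda h: h[0].lower())

def find_driver_services(keys):
    """(service, image_path) for Type 1 (kernel driver) services whose ImagePath is a
    .sys directly under system32 instead of the drivers subfolder, the shape of the
    {random}.sys service above. Heuristic: confirm against a known-good baseline."""
    prefix = SERVICES_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        image = _get(values, "ImagePath")
        if (path.lower().startswith(prefix) and _get(values, "Type") == 1
                and isinstance(image, str)
                and re.search(r"system32\\[^\\]+\.sys$", image, re.I)):
            hits.append((path[len(prefix):], image))
    return hits

def cleanup_reg(hijacks):
    """Regedit script that deletes only the Debugger value ("Debugger"=-) of each
    hijacked subkey, leaving any legitimate IFEO settings in place."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for exe, _ in hijacks:
        lines += ["[%s\\%s]" % (IFEO_KEY, exe), '"Debugger"=-', ""]
    return "\n".join(lines)
```

Run it as `parse_reg(open("ifeo.reg", encoding="utf-16").read())` on a real export (regedit writes UTF-16 with a BOM), then feed the hijack list to `cleanup_reg` and import the result with regedit only after confirming the affected host no longer has the dropped .sys and appmgmts.dll in place, since the backdoor can otherwise simply rewrite the entries.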

Other Details

This backdoor connects to the following possibly malicious URLs:

  • {BLOCKED}0.{BLOCKED}9.92.248
  • {BLOCKED}0.{BLOCKED}9.92.245
  • {BLOCKED}0.{BLOCKED}9.92.244
  • {BLOCKED}0.{BLOCKED}9.92.242
  • {BLOCKED}0.{BLOCKED}9.92.239
  • {BLOCKED}0.{BLOCKED}9.92.236
  • {BLOCKED}0.{BLOCKED}9.92.250
  • {BLOCKED}0.{BLOCKED}9.92.251
  • {BLOCKED}0.{BLOCKED}9.92.254
  • {BLOCKED}0.{BLOCKED}9.92.249
  • {BLOCKED}0.{BLOCKED}9.92.240
  • {BLOCKED}0.{BLOCKED}9.92.243
  • {BLOCKED}0.{BLOCKED}9.92.253
  • {BLOCKED}0.{BLOCKED}9.92.241
  • {BLOCKED}0.{BLOCKED}9.92.246
  • {BLOCKED}0.{BLOCKED}9.92.237
  • {BLOCKED}3.{BLOCKED}4.193.128
  • {BLOCKED}3.{BLOCKED}4.193.125
  • {BLOCKED}2.{BLOCKED}6.167.95
  • {BLOCKED}d.{BLOCKED}v.com
  • www.{BLOCKED}u.com
  • www.{BLOCKED}4.info

NOTES:

It sets the attributes of %System%\drivers\etc\hosts to RHS (read-only, hidden and system), which keeps the file out of a default Explorer listing and makes it harder to inspect or edit.

It deletes the original %System%\appmgmts.dll, the DLL that the legitimate Application Management (AppMgmt) service loads through svchost.exe, and writes a copy of itself under the same file name. The existing AppMgmt service registration therefore loads the backdoor at every startup, so no new user-mode service entry is needed for this component; the dropped .sys file is registered separately through the {random} Services entries listed above.